CVE-2026-30241

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are parsed and executed without invoking the depth validation. This allows a remote client to submit arbitrarily deeply nested subscription queries over WebSocket, bypassing the intended depth restriction. On schemas with recursive types, this can lead to denial of service through exponential data resolution on each subscription event. This issue has been patched in version 16.8.0.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/mercurius-js/mercurius/commit/5b56f60f4b0d60780b0ff499a479bd830bdd6986	Patch
https://github.com/mercurius-js/mercurius/security/advisories/GHSA-m4h2-mjfm-mp55	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mercurius_project:mercurius:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-03-06 22:16

Updated : 2026-03-12 15:16

NVD link : CVE-2026-30241

Mitre link : CVE-2026-30241

CVE.ORG link : CVE-2026-30241

JSON object : View

Products Affected

mercurius_project

mercurius

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-30241", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-06T22:16:01.587", "references": [{"url": "https://github.com/mercurius-js/mercurius/commit/5b56f60f4b0d60780b0ff499a479bd830bdd6986", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mercurius-js/mercurius/security/advisories/GHSA-m4h2-mjfm-mp55", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are parsed and executed without invoking the depth validation. This allows a remote client to submit arbitrarily deeply nested subscription queries over WebSocket, bypassing the intended depth restriction. On schemas with recursive types, this can lead to denial of service through exponential data resolution on each subscription event. This issue has been patched in version 16.8.0."}, {"lang": "es", "value": "Mercurius es un adaptador GraphQL para Fastify. Antes de la versi\u00f3n 16.8.0, Mercurius no aplica el l\u00edmite de queryDepth configurado en las consultas de suscripci\u00f3n GraphQL recibidas a trav\u00e9s de conexiones WebSocket. La verificaci\u00f3n de profundidad se aplica correctamente a las consultas y mutaciones HTTP, pero las consultas de suscripci\u00f3n se analizan y ejecutan sin invocar la validaci\u00f3n de profundidad. Esto permite a un cliente remoto enviar consultas de suscripci\u00f3n anidadas arbitrariamente profundas a trav\u00e9s de WebSocket, eludiendo la restricci\u00f3n de profundidad prevista. En esquemas con tipos recursivos, esto puede llevar a una denegaci\u00f3n de servicio a trav\u00e9s de la resoluci\u00f3n exponencial de datos en cada evento de suscripci\u00f3n. Este problema ha sido parcheado en la versi\u00f3n 16.8.0."}], "lastModified": "2026-03-12T15:16:45.377", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mercurius_project:mercurius:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D17316EB-4DF9-485E-87DC-C84C68FAC0AF", "versionEndExcluding": "16.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}